Event Consumers for an Event Management System

ABSTRACT

An event management system includes an email consumer for handling email, a paging consumer, an active scripting consumer, a log file consumer, an event log consumer, and a command line consumer. The events in the event management system are represented as objects and each consumer is represented as a class. The system also includes an event forwarding consumer to forward events. The event management system allows the creation of an instance of an event filter which filters events based on event filter properties. The system also allows the creation of an instance of an event consumer which defines an action and creation of a binding between the instance of the event filter and the instance of the event consumer such that the binding includes properties identifying the instance of the event filter and the instance of the event consumer.

RELATED APPLICATIONS

This application claims the benefit of and is a continuation applicationof U.S. patent application Ser. No. 09/875,775, filed Jun. 5, 2001,which in turn claims the benefit of U.S. Provisional Application No.60/210,330, filed Jun. 7, 2000.

TECHNICAL FIELD

The present invention relates to computing systems and, moreparticularly, to event consumers, such as application programs, thatreceive events generated by components, services and applications in acomputing environment.

BACKGROUND

Computer systems, such as servers and desktop personal computers, areexpected to operate without constant monitoring. These computer systemstypically perform various tasks without the user's knowledge. Whenperforming these tasks, the computer system often encounters events thatrequire a particular action (such as logging the event, generating analert for a particular system or application, or performing an action inresponse to the event). Various mechanisms are available to handle theseevents.

A computing enterprise typically includes one or more networks,services, and systems that exchange data and other information with oneanother. The enterprise may include one or more security mechanisms tosafeguard data and authenticate users and may utilize one or moredifferent data transmission protocols. At any particular time, one ormore networks, services or systems may be down (e.g., powered down ordisconnected from one or more networks). Networks, services or systemscan be down for scheduled maintenance, upgrades, overload or failure.Application programs attempting to obtain event data must contend withthe various networks, services, and systems in the enterprise when theyare down. Additionally, application programs must contend with thesecurity and network topology limitations of the enterprise as well asthe various protocols used in the enterprise.

A typical computing environment includes multiple event consumers (i.e.,applications and other routines that use various event data generated byone or more event sources or event providers). These event consumers aretypically implemented by network administrators or other individualsresponsible for the operation of the computing environment. Anadministrator generally implements many different event consumers toproperly handle the various events generated throughout the computingenvironment. A particular administrator may be responsible for a portionof the computing environment, such as the computing devices in aparticular building or the computing devices associated with aparticular department in an organization. Different administrators mayimplement duplicate (or substantially similar) event consumers stored indifferent portions of the computing environment. The creation ofduplicate event consumers is wasteful of the administrators' time andwastes storage space by storing redundant event consumers.

The system and method described herein addresses these limitations byproviding a standard set of event consumers for handling various commonevents (i.e., events that are likely to be handled by multipleadministrators). The system and method described herein also provides astandard schema that allows event consumers to use event data withoutrequiring knowledge of the source of the event data.

SUMMARY

The system and method described herein provide a standard set ofcommonly used event consumers, thereby eliminating the need for anadministrator to implement those event consumers. Providing a standardset of common event consumers also reduces the number of redundantconsumers stored throughout the computing environment. The use of astandard schema for defining event data allows an event consumer toaccept and used event data from any event source. The event consumerdoes not require any knowledge about the event source to process theevent. Similarly, the event source does not require any knowledge of theevent consumer to generate event data.

In one embodiment, an event management system includes an email consumerfor handling email, a paging consumer, an active scripting consumer, alog file consumer, an event log consumer, and a command line consumer.

In a described embodiment, a procedure includes creating an instance ofan event filter which filters events based on event filter properties.The procedure also includes creating an instance of an event consumerwhich defines an action and creating a binding between the instance ofthe event filter and the instance of the event consumer.

In a particular embodiment, a schema includes at least one eventconsumer class that represents a consumer of an event. The schema alsoincludes at least one event filter class that represents event filteringparameters and at least one binding class that represents theassociation of at least one event consumer and at least one eventfilter.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates a block diagram of a system that receives eventinformation from multiple event providers and provides event informationto multiple event consumers.

FIG. 2 illustrates a block diagram of a system that receives events andlogs those events to an event log.

FIG. 3 is a flow diagram illustrating a procedure for implementing eventconsumers.

FIG. 4 illustrates the binding of an instance of an event consumer withan instance of an event filter.

FIG. 5 illustrates the forwarding of events from multiple event sourcesto a common event target.

FIG. 6 illustrates an example of a suitable operating environment inwhich the event-handling system and method may be implemented.

DETAILED DESCRIPTION

The system and method described herein provide a standard set of eventconsumers for use throughout a computing environment. This standard setof event consumers includes an email consumer (such as an SMTPconsumer), a script consumer, a paging consumer, a log to file consumer,an event log consumer, a command line consumer, and an event forwardingconsumer. The use of these standard event consumers eliminates the needfor administrators to implement such consumers and reduces the number ofredundant (or substantially similar) consumers in the computingenvironment. A standard schema is described for defining and handlingevent data. This standard schema allows an event consumer to utilizeevent data from any source without requiring any knowledge of the eventsource. Additionally, the event data can be generated without knowledgeof the event consumer that may utilize the event data.

Web-Based Enterprise Management (WBEM) provides uniform access tomanagement information throughout an enterprise. WBEM is an industryinitiative to develop technology for accessing management information inan enterprise environment. This management information includes, forexample, information on the state of system memory, inventories ofcurrently installed client applications, and other information relatedto the status of the system. A particular embodiment of theevent-handling system is implemented using Windows® ManagementInstrumentation (WMI) developed by Microsoft Corporation of Redmond,Wash., which provides an infrastructure to handle various eventsgenerated by event sources throughout an enterprise.

The WMI technology enables systems, applications, networks, and othermanaged components to be represented using the Common Information Model(CIM) designed by the Distributed Management Task Force (DMTF). CIM isan extensible data model for representing objects that exist in typicalmanagement environments. CIM is able to model anything in the managedenvironment, regardless of the location of the data source. The ManagedObject Format (MOF) language is used to define and store modeled data.In addition to data modeling, WMI provides a set of base services thatinclude query-based information retrieval and event notification. Accessto these services and to the management data is provided through asingle Component Object Model (COM) programming interface.

The WMI schema includes multiple classes. Each WMI class is associatedwith a system or subsystem in, for example, an enterprise. WMI classesdefine the basic units of management. Each WMI class is a template for atype of managed object. For example, Win32 DiskDrive is a modelrepresenting a physical disk drive. For each physical disk drive thatexists, there is an instance of the Win32 DiskDrive class. WMI classesmay contain properties, which describe the data of the class and themethods (which describe the behavior of the class).

WMI classes describe managed objects that are independent of aparticular implementation or technology. WMI includes an eventingsubsystem that follows the publish-subscribe model, in which an eventconsumer subscribes for a selection of events (generated by one or moreevent providers) and performs an action as a result of receiving theevent. WMI also provides a centralized mechanism for collecting andstoring event data. This stored event data is accessible by othersystems via WMI tools and/or application programming interfaces (APIs).

Although particular embodiments are discussed herein as using WMI,alternate embodiments may utilize any enterprise management system orapplication, whether web-based or otherwise. The event providers andevent consumers discussed herein are selected for purposes ofexplanation. The teachings of the present invention can be used with anytype of event provider and any type of event consumer. Additionally, theevent-handling system and method described herein can be applied to anytype of enterprise or other arrangement of computing devices,applications, and/or networks.

FIG. 1 illustrates a block diagram of a system 100 that receives eventinformation from multiple event providers 108 (i.e., event sources) andprovides event information to multiple event consumers 102 (i.e., theusers of the event data). System 100 includes a WMI module 106, whichreceives event data from multiple event sources 108 and receivesrequests for information (e.g., notification of particular events) frommultiple event consumers 102. Event sources 108 may include, forexample, managed nodes or managed systems in a network. The multipleevent sources are identified as event providers 110. The multiple eventconsumers are identified as applications 104.

WMI module 106 shown in FIG. 1 represents the managed node layer of theWMI module. As discussed below, the WMI module 106 may also include acentral store layer, which may include user interface functionality. Thedifferent layers of WMI module 106 manage different types of activitiesand/or perform different types of functions.

Event providers 110 include, for example, systems, services orapplications that generate event data. An exemplary event provider is adisk drive (or an application that monitors the status of a disk drive).The disk drive may generate an event indicating the available storagecapacity on the disk drive or indicating the amount of data currentlystored on the disk drive. The disk drive may also generate an eventindicating that the disk drive is nearly full of data (e.g., whenninety-five percent or more of the disk drive's capacity is used).

Event consumers 102 may request to be notified of certain events (alsoreferred to as “subscribing” to an event). An example event consumer isan application that manages multiple storage devices in an enterprise.The application may request to receive events generated by any of thedisk drives or other storage devices in the enterprise. The applicationcan use this event information to distribute storage tasks among themultiple storage devices based on the available capacity of each deviceand/or the quantity of read or write requests received by each storagedevice.

FIG. 2 illustrates a block diagram of a system 150 that receives eventsand logs those events to an event log. System 150 includes a centralstore layer of WMI module 106, which is coupled to multiple userinterface (UI) applications 152. UI applications 152 are used to accessWMI module 106 to retrieve data, manage systems, and configure variousenterprise management parameters. The central store layer of WMI module106 provides for the centralized logging and storage of event datareceived from various nodes and various networks in an enterprise. WMImodule 106 is also coupled to receive events 162 from one or more eventsources. For example, events may be received from the managed node layerof WMI module 106, discussed above with respect to FIG. 1, from an eventforwarding application (e.g., application 104), or from one or moreevent providers (e.g., event provider 110).

System 150 also includes a set of policies 160, which are accessible byWMI module 106. Policies 160 may control the configuration of one ormore systems in the enterprise. Other policies may define variousactivities, such as event filtering, event correlation, and theforwarding of events to particular devices or applications. A database156 is coupled to WMI module 106. Database 156 stores variousinformation related to the enterprise. For example, database 156 canstore event data (i.e., creating an event log), policy data, andenterprise configuration information.

WMI module 106 is also coupled to an event log 158. The event log 158uses WMI features to provide a distributed architecture that is capableof selecting, filtering, correlating, forwarding, storing, anddelivering event data in an enterprise. The event log 158 allows users,such as administrators, to request data related to a particular event,request data from a particular node or device in the enterprise, definethe manner in which events are correlated with one another, define howcertain events should be forwarded, and define how to store event data.Data requests may be accessed from the event log 158 using, for example,a particular UI application 152. The event log 158 uses an eventprovider model that allows an application, device or driver to generateevents.

The event log 158 provides a policy-based administration of theenterprise. The policy infrastructure allows administrators to set apolicy in the Directory Service (DS) and the WMI module ensures that theproper set of WMI objects (e.g., filters, bindings, correlators,consumers, and configuration objects) are delivered to the properdevices or applications in the enterprise.

Table 1 below identifies various types of event providers available in aparticular embodiment. Additionally, the table includes a description ofthe events generated by each event provider. For example, the Win32Provider generates events that include information related to theoperating system, computer system, peripheral devices, file systems, andsecurity for a particular device (such as a computer system) in theenterprise. TABLE 1 Event Provider Description of Events Provided Win32Provider Supplies information about the operating system, computersystem, peripheral devices, file systems, and security. WDM ProviderSupplies low-level Windows Driver Model (WDM) information for user inputdevices, storage devices, network interfaces, and communications ports.Event Log Provider Allows the reading of Windows NT event log entries,controls the configuration of event log administrative options, andevent log backup. Registry Provider Allows registry keys to be created,read, and written. WMI events can be generated when specified Registrykeys are modified. Performance Exposes the raw performance counterCounter Provider information used to compute various performance values.Active Directory Acts as a gateway to information Provider stored inMicrosoft Active Directory services. Allows information from both WMIand Active Directory to be accessed using a single API. WindowsInstaller Supplies information about Provider applications installedwith the Windows Installer. SNMP Provider Acts as a gateway to systemsand devices that use SNMP for management. Allows SNMP traps to beautomatically mapped to WMI events.

FIG. 3 is a flow diagram illustrating a procedure 200 for implementingevent consumers. Initially, a customer (such as an administrator)creates an instance of an event filter (block 202) to specify the eventsthat should trigger an action. Next, the customer creates an instance ofan event consumer for the desired action (block 204) to specify theparameters of the action to be taken. The customer then creates anassociation that binds the event filter with the event consumer (block206). This association indicates that the specified action is to beperformed when events matching the event filter criteria occur. Acustomer can bind one event filter to several event consumers,indicating that when matching events occur, several actions are to beperformed. Similarly, a customer can bind one event consumer to severalevent filters such that the specified action is performed wheneverevents matching any of the event filters occur.

Referring again to FIG. 3, if additional events are to be associatedwith the event class (block 208), then procedure 200 branches to block210, where the customer creates an association that binds one or moreadditional event filters with the event consumer. If additional eventconsumers are to be associated with the event filter (block 212), thenprocedure 200 branches to block 214, where the customer creates anassociation that binds the event filter with one or more additionalevent consumers. The procedure illustrated in FIG. 3 may be repeated, asnecessary, to implement additional event consumers.

FIG. 4 illustrates the binding of an instance of an event consumer withan instance of an event filter. An event consumer 300 is a class thatincludes one or more properties, labeled Property 1, Property 2, . . .Property N. The event consumer properties specify one or more actions tobe performed in response to the occurrence of a particular event. Eventconsumer 300 includes multiple subclasses 304. In a particularembodiment, the subclasses of event consumer 300 are an SMTP consumerfor handling mail messages, a script consumer for executing scripts, apaging consumer for initiating paging messages, a log to file consumerto log event data to a file, an NT event log consumer to log event datato an NT event log, a command line consumer for executing command lineinstructions, and an event forwarding consumer to forward events fromone system to another. These various subclasses are discussed in greaterdetail below.

An event filter 306 is a class that includes one or more properties,labeled Property 1, Property 2, . . . Property N. The event filterproperties identify the events that should cause one or more actions tobe performed. A binding 308 is a class that includes at least twoproperties, labeled Property 1 and Property 2. An instance of binding308 creates an association between an instance of an event consumer 302and an instance of an event filter 306. The two binding propertiesidentify event consumer 302 and event filter 306 as the two instancesthat are bound together by binding 308. After event consumer 302 andevent filter 306 are bound together, the event consumer is executed whenthe filter event occurs. Specific examples of event consumers, eventfilters and the bindings between them are discussed below.

If the action designated by a consumer faills to execute (the definitionof a failure is specified with every consumer type), WMI will generate aConsumerFailureEvent event. The event contains as properties both theoriginal event that failed to be delivered, and the logical consumerinstance representing the failing consumer. Interested clients canregister to receive these events, or perform specific actions upon theirreceipt.

In a number of event consumers, an occasion arises to create a stringthat is partly configured in the event consumer instance, and partlyderived from the event in question. For these cases, a template languagesimilar to the NT environment variable specification is used. Followingare some examples of the syntax used in the templates:

-   “Some Text Here” will always produce “Some Text Here”-   “%CPUUtilization%” will always produce the value of the    CPUUtilization property of the event being delivered, converted to a    string if necessary, e.g. “90”-   “The CPU utilization of my processor is %CPUUtilization% at this    time” will embed the value of the CPUUtilization property of the    event into the string, producing something like “The CPU utilization    of my processor is 90 at this time”.-   “%Targetlnstance.CPUUtilization%” will retrieve the CPUUtilization    property of the embedded instance in TargetInstance.-   “%%” produces a single % sign-   If the property being retrieved is an array, the entire array will    be produced, in the format of (1, 5, 10, 1024). If there is only one    element in the array, parenthesis will be omitted. If there are no    elements in the array, “( )” will be produced.-   If a property is an embedded object, the MOF representation of the    object will be produced (similar to GetObjectText).-   If a property of an array of embedded objects is requested, it is    treated as a property with the value of an array. For instance,    %MyEvents.Targetlnstance.DriveLetter% could produce ‘(“c:”, “d:”)’    if MyEvents is an array of embedded instance modification events.

If a property of a consumer class is interpreted to be a templateaccording to the above rules, it is marked with a [template] qualifier.

In a particular embodiment, the event consumers described herein areimplemented as dynamically linked libraries (DLLs), except for theactive scripting consumer, which is discussed below. In this embodiment,the event consumers execute in the security context of the LocalSystem.Further, only authorized users (e.g., administrators) are permitted toconfigure standard event consumers of the type described herein. Thelist of authorized users may vary from one event consumer to another.

Details regarding the various event consumers and their associatedproperties are described below.

Log File Event Consumer

This event consumer will write customized strings to a text log filewhenever events are delivered to the consumer. The strings will beseparated by end-of-line sequences. The logical consumer class for thelog file event consumer is: class LogFileEventConsumer : _EventConsumer{  [key] string Name;  string Filename;  [template] string Text;  uint64MaximumFileSize;  boolean IsUnicode; };

where

-   “Filename” is the name of the file to which the log entries are    appended-   “Text” is the template (as described above) for the text of the log    entry-   “MaximumFileSize” is the maximum size (in bytes) that the log file    will be allowed to grow. If the primary file exceeds its maximum    size, its contents will be moved to another file, and the primary    file will be emptied. Default is 0, which will be interpreted as no    limit.-   “IsUnicode” is true if the file in question should be a UNICODE (as    opposed to MBC) file.

The naming structure for the backup files will be as follows:

-   If the original filename is 8.3, the extension will be replaced by a    string of the format “001”, “002”, etc, with the smallest number    larger than all those used chosen each time (unless “999” is used,    in which case the smallest unused number is chosen).-   If the original filename is not 8.3, the suffix described above will    be appended to the filename.

The file is opened for shared write access. Any failure to open or writeto the file will be considered a failure of the action (this includesthe case where another application has the file opened with exclusiveaccess). The user who created the binding as identified by theCreatorSID property must have write access to the file in question atthe time the event is generated in order for the consumer to write tothe file.

Command-Line Event Consumer

This event consumer can launch an arbitrary process whenever an event isdelivered to the consumer. The process will be launched in theLocalSystem security context. The logical consumer class for thecommand-line event consumer is: class WMI_CommandLineEventConsumer :_EventConsumer {  [key] string Name;  [not_null] string ExecutablePath; [template] string CommandLineTemplate;  boolean UseDefaultErrorMode =FALSE;  boolean CreateNewConsole = FALSE;  boolean CreateNewProcessGroup= FALSE;  boolean CreateSeparateWowVdm = FALSE;  booleanCreateSharedWowVdm = FALSE;  sint32 Priority = 32;  stringWorkingDirectory;  string DesktopName;  string WindowTitle;  uint32XCoordinate;  uint32 YCoordinate;  uint32 XSize;  uint32 YSize;  uint32XNumCharacters;  uint32 YNumCharacters;  uint32 FillAttribute;  uint32ShowWindowCommand;  boolean ForceOnFeedback = FALSE;  booleanForceOffFeedback = FALSE;  boolean RunInteractively = FALSE;  uint32KillTimeout = 0; };

where all the parameters are as documented in the Win32 SoftwareDevelopers Kit (SDK), available from Microsoft Corporation of Redmond,Wash., for CreateProcess function (and its parameter STARTUPINFO),except:

-   “CommandLineTemplate” is a template (as described above), e.g.    “C:\winnt\runreport %Targetlnstance.DriveLetter%”-   “RunInteractively” can be set to TRUE to force the process to be    launched in the interactive winstation. Otherwise, the process is    launched in the default service winstation. This property overrides    the “DesktopName”, which can also be used to select a specific    winstation and desktop.-   “KillTimeout” can be specified to have WinMgmt kill the launched    process after a specified number of seconds.

Failure to launch the process (CreateProcess) will be considered afailure of the action. Failure return code from the process will not beconsidered a failure of the action. In one embodiment, only localadministrators are allowed to register this event consumer, because theprocess in question will run as LocalSystem.

NT Event Log Event Consumer

NT event log event consumer will log a specific message to the NT EventLog whenever an event is delivered to the consumer.

The NT Event Log requires that the message text of all entries be placedin a message DLL, properly installed on the system on which events arelogged. This event consumer does not change this requirement. It isstill the responsibility of the customer to properly register an NTEvent Log “Source” with the message texts; once that is done, however,this consumer can log NT Event Log entries based on that source wheneverdesignated WMI events occur.

The logical consumer class for the NT event log event consumer is: classNTEventLogEventConsumer : _EventConsumer {  [key] string Name;  stringUNCServerName;  string SourceName;  [not_null] uint32 EventID;  uint32EventType = 1;  uint32 Category;  [template] stringInsertionStringTemplates[ ] = {“”}; };

where

-   “UNCServerName” is the name of the machine on which to log the    event, or NULL if the machine is a local server.-   “SourceName” is the name of the NT Event Log Source in which the    message is to be found. As mentioned above, the customer is assumed    to have registered a DLL with the necessary messages under this    source.-   “EventID” is the id of the event message in the Source.-   “EventType” is the type of the event being generated, e.g.    Informational, Warning, or Error.-   “Category” is as documented in the Win32 SDK ReportEvent function.-   “InsertionStringTemplates” is an array of templates whose values are    used as the insertion strings for the event log record.

Failure to write the event (ReportEvent) is considered a failure. Lackof installed message DLL for the Source, use of out-of-range IDs, orinvalid number of Insertion Strings are not considered failures.

Active Scripting Event Consumer

The active scripting event consumer will execute a predefined script inan arbitrary scripting language whenever an event is delivered to theconsumer. While the text of the script itself is specified in the eventconsumer instance, the script will have access to the event instance inthe script environment variable TargetEvent. For instance,MsgBox TargetEvent.TargetInstance.DriveLetter

in VBScript would bring up a message box with the drive letter of theevent in the message box.

The scripts will execute in the security context of LocalSystem. In aparticular embodiment, as a security measure to prevent abuse, only alocal system administrator or a domain administrator may configure theactive scripting event consumer. The access rights are not checked untilruntime. Once the consumer is configured, any user may trigger the eventthat causes the script to be executed.

The logical consumer class for the active scripting event consumer is:class ActiveScriptEventConsumer : _EventConsumer {  [key] string Name; string ScriptingEngine;  string ScriptText;  string ScriptFileName; [units(“seconds”)] uint32 KillTimeout; };

where

-   “ScriptingEngine” is the ProgID of the scripting engine to use, e.g.    “VBScript” or “JScript”.-   “ScriptText” is the text of the script to execute. “ScriptText” may    be NULL, in which case ScriptFileName is used.-   “ScriptFileName” is the name of the file from which the text of the    script is read, unless ScriptText is specified. Only one of    “ScriptText” or “ScriptFileName” may have a value.-   “KillTimeout” specifies the number of seconds after which the script    will be terminated if not already finished. Killing a script via the    timeout is considered an error. If “KillTimeout” is zero or NULL,    the script will not be terminated.

There is also a global configuration class in the root\cimv2 namespacethat applies to all instances of the consumer:    classScriptingStandardConsumerSetting : CIM_Setting    {     string SettingID= “ScriptingStandardConsumerSetting”;     string Caption = “ScriptingStandard Consumer Setting”;     string Description = “Registration datacommon to all instances of the Scripting Standard Consumer”;     uint32MaximumScripts;     uint32 Timeout;    };

where

-   “SettingID”, “Caption”, and “Description” identify and document the    class, and should not be overridden.-   “MaximumScripts” specifies the maximum number of scripts that will    be run from any one instance of the consumer before starting a new    instance. Default value: 300. A value of zero or NULL will result in    the default being used.-   “Timeout” specifies the maximum amount of time in minutes that the    consumer will be allowed to run before starting a new instance of    the consumer. If zero, lifetime is controlled by the    “MaximumScripts” property. Valid Range: 0-71,000.

The primary purpose of the “MaximumScripts” and “TimeOut” properties isto ensure that the consumer will eventually shut down, thereby removingany memory or resource leaks caused by poorly written scripts. Failureto load the scripting engine or parse and validate the script isconsidered a failure. Error return code from the script is likewiseconsidered a failure. The active scripting event consumer will run in aseparate process due to its inherent danger.

SMTP Event Consumer

The SMTP event consumer will send an e-mail message via SMTP each timean event is delivered to the consumer. An SMTP server must exist on thenetwork for the SMTP event consumer to work properly. The logicalconsumer class for the SMTP event consumer is: class SMTPEventConsumer :_EventConsumer {  [key] string Name;  string SMTPServer;  stringSubject;  string Message;  [not_null] string ToLine;  string CcLine; string BccLine; };

where

-   “SMTPServer” is the name of the SMTP server through which mail will    be sent. For example, IP addresses, DNS or NetBIOS names can be used    to identify the SMTP server.-   “Subject” is the template for the subject of the message.-   “Message” is the template for the body of the message.-   “ToLine” is the semi-colon-separated list of addresses to send the    message to.-   “CCLine” is the semi-colon-separated list of addresses to CC.-   “BccLine” is the semi-colon-separated list of addresses to BCC.

Failure to send mail (error return code from the service) is considereda failure.

Paging Event Consumer

The paging event consumer will page an arbitrary phone number with anarbitrary message, using industry-standard TAP protocol. No TAPIprovider needs to be installed on the server. The logical consumer classfor the paging event consumer is: class TAPIEventConsumer :_EventConsumer {  [key] string Name;  string PhoneNumber;  string ID; string Message;  string Port;  uint32 BaudRate;  stringModemSetupString;  uint32 AnswerTimeout = 30; };

where

-   “PhoneNumber” is the number to dial. Any non-numeric symbols in this    string are ignored.-   “ID” is the paging subscriber ID.-   “Message” is the alphanumeric message to be sent,-   “Port” is the port to which the modem is connected (e.g. “COMi”).-   “BaudRate” is the maximum baud rate to use. If left NULL, the    maximum available rate will be used.-   “ModemSetupString” should be left NULL except when the TAP server is    not compliant with the protocol's suggested defaults.-   “AnswerTimeout” is the number of seconds to wait for the server to    pick up the phone. The default value is 30 seconds.

FIG. 5 illustrates the forwarding of events from multiple event sourcesto a common event target. A pair of event sources 402 and 404 eachforward certain events (determined by the appropriate filter properties)to an event target 406. In a particular embodiment, event target 406 isa central event logging computer that logs event data from manydifferent event sources. Although FIG. 5 illustrates two event sources402 and 404, alternate embodiments may include any number of eventsources coupled to event target 406.

Each event source 402 and 404 includes an instance of a forwardingconsumer, an instance of a filter, and an instance of a binding thatbinds the forwarding consumer to the filter. Event target 406 includesan instance of a log-to-file consumer, an instance of a filter, and aninstance of a binding that binds the log-to-file consumer to the filter.Events received by or generated by event source 402 or 404 that meet thefilter criteria (as defined by the filter properties) are forwarded bythe forwarding consumer to the event target 406 for logging. Eventsreceived by event target 406 may be processed or forwarded to anotherevent target (not shown) for processing or further forwarding. Thus, aparticular event may be forwarded through multiple devices until adestination device is reached.

Forwarding Consumer Provider

The Forwarding Consumer Provider provides sinks (e.g., a piece of codethat accepts events) for the Data and Event Logical Forwarding Consumerinstances. It exists as a DLL and is an in-proc COM object.

The forwarding consumer provider uses the “WbemMessageSender” COMobjects to send messages. This insulates the forwarding consumerprovider from sending messages via MSMQ, Named-Pipes, etc. See the WBEMMessaging Layer specification for more details.

The “IwbemObjectInternals” interface is used for marshaling objects. Theforwarding consumer will not send class information as part of themessage. It will send a classname, decoration and instance data. Whensending multiple objects, their class and decoration data is packagedonce. The “IwbemObjectInternals” interface is an internal COM interface.

Format: DWORD dwSig; // FCON in ascii char cVersionMajor; // 1 charcVersionMinor; // 0 char cType; // 0 - for event, 1 for data char cLast;// 0 - for FALSE, 1 - for TRUE DWORD dwReserved; // not used GUIDCorrelationId; // not used for event types DWORD dwObjs; // num objs inthis message String ClassName - null terminated. Decoration Part // onlyone. Instance Part // dwObjs instances

Table 2 below is used to determine the target queue when one is notspecified. See Forwarding Queues for more details. TABLE 2 SenderOperation Mode Delivery Class Target Queue N/A Synchronous N/A On-LineExpress Public, Private (D) On-Line Guaranteed Public Guaranteed,Private Guaranteed (D) Off-Line domain Express Private (D) memberOff-Line domain Guaranteed Private Guaranteed (D) member Off-Lineworkgroup Express Private (D) Off-Line workgroup Guaranteed PrivateGuaranteed (D)(D) - Direct MSMQ Format NameEvent Forwarding Consumer

Each event or event batch that is indicated to the consumer will bepackaged into a single message and sent to the target.

Data Forwarding Consumer

When obtaining the results of the query, the results will be packagedinto one or more messages. The number of objects in a message depends ontheir size. The granularity of these messages is around 512K. There willbe an indication in the last message that it is the last one. This isset in the “last” property of the forwarded consumer message. This willsignal the event provider to signal a null termination event.

Forwarded Message Provider

There are two types of forwarding queues: Express and Guaranteed. Bothqueues have identical properties, they are just serviced differently.When the machine is online, there will be two MSMQ queues for each type:Public and Private. When the machine is offline, there will be only oneMSMQ queue for each type: Private.

The reason for the two queues in the online case is as follows. If thesender is offline, then it has no way of knowing what queues thereceiver has. If we always create/open and service both the public andprivate queues, then there should not be any problems. The sender wouldalways send to the private queues in this case. There is virtually noextra overhead in servicing the extra queues since overlapped i/o can beused. All of the queues are configured externally through MSMQ provideror through the MSMQ snap-in.

Queue Initialization occurs the first time that the CIMV2 namespace goesactive. See below for more details. If online at the time ofinitialization, then the public and private versions of the queue willbe created. If offline at the time of initialization, then only theprivate versions of the queue will be created.

Forwarding Event Provider

Forwarding Event Provider is called regardless of its activation status.Its “ProvideEvents( )” will always be called with a sink. When receivingthis sink, the forwarding event provider starts servicing the queues.Since only guaranteed and express queues are serviced, there is littleoverhead in servicing them when no device is interested in the queues.The queues are serviced using the express and guaranteed receiverssupplied by the “WbemMessageReceiver” layer.

WMI Event Forwarding

WMI Event Forwarding refers to the process of subscribing to WMI Eventsthat are signaled on one machine and directing them to be signaled asWMI Events on another machine. At a high level, this is accomplished bysubscribing a standard WMI Event Consumer, called the Event ForwardingConsumer, to the events to be forwarded. The action taken by thisconsumer when it is notified of events is to forward the events toremote machines. For each forwarded event that is received at thedestination machine, a new WMI Event, called a Forwarded Event, iscreated that contains the original event and is signaled. Consumersinterested in events that are forwarded to a machine, subscribe toForwarded Events on that machine.

Event Forwarding Consumer

An event forwarding consumer is subscribed to events using the normalWMI event model. An instance of the event forwarding logical consumer iscreated and is bound to an event filter that describes the events thatare to be forwarded. The way that the event forwarding consumer instanceis configured directs the system on how to forward events. Destinationaddresses, Quality of Service (QoS), and security information areexamples of configuration information exposed to the user.

The following is an abstract definition of a forwarding consumer. Inlater versions, there may be forwarding consumers that forward messagesother than events. For now we are concerned with forwarding events.[abstract] class MSFT_ForwardingConsumer : _EventConsumer {    [KEY]STRING NAME;       string Targets[ ];       [values{ 1, 2, 3, 4},value_map{ “Synchronous”, “Express”, “Guaranteed”, “Transactional”}]   sint32 ForwardingQoS = 2;       boolean Authenticate = TRUE;      boolean Encryption = FALSE;       string TargetSD; }; classMSFT_EventForwardingConsumer : MSFT_ForwardingConsumer { };

where

“Name” is the key property identifying the instance of a“MSFT_ForwardingConsumer”.

“Targets” identifies the destinations of the forwarded messages. Thisproperty is an array, so it can contain multiple destinations.

“ForwardingQoS” specifies the QoS to be used for the forwarding.

“Authenticate” tells the sender if authentication information needs tobe part of the message. If the sending machine belongs to a workgroup,then this property is ignored.

“Encryption” tells the sender to encrypt the message body beforesending. If the sending machine belongs to a workgroup, then thisproperty is ignored. Encryption can be used when the sending machine ison-line.

“TargetSD” is a textual representation of a security descriptor usingSDDL. This security descriptor is used for controlling which securityidentities can subscribe to the forwarded event at the receiving end.

Forwarded Events

A forwarding consumer forwards information using a forwarded message.When a forwarded message is received at the destination it is surfacedusing a WMI Event. This event is defined in the root\cimv2 namespace andits schema looks like: class Win32_WmiForwardedMessageEvent :_ExtrinsicEvent {  datetime Time;  string Machine;  string Account; boolean Authenticated; };

where

“Time” is the time the message was sent.

“Machine” is the machine the message was sent from.

“Account” is the Security Account the message was sent under.

“Authenticated” states whether the message was authenticated by thereceiver.

This class is intended to be overridden by concrete event types. Sincethe concern is with forwarding events, here, a concrete event class isdefined which is derived from the “Win32_WmiForwardedMessageEvent”.class Win32_WmiForwardedEvent : Win32_WmiForwardedEvent {   _EventEvent; };

where

“Event” is the original event that was delivered to the forwardingconsumer on the sender.

Events can be forwarded using a synchronous, express, or guaranteedquality of service (QoS). Synchronous QoS means that the notification ofthe event at the sender, the forwarding of the event to the destination,and the signaling of the event at the receiving end all take place inthe same execution path. RPC communication is used for this purpose. Bydefinition, this type of forwarding is guaranteed. However, RPC islimited in that the sending machine requires network connectivity to thereceiver at the time of forwarding. In a particular embodiment, theforwarding consumer uses DCOM for synchronous communication.

The three QoS classes listed below are called asynchronous because theforwarding of the event is not in the same execution path as thenotification of the event. Unlike synchronous forwarding, asynchronousforwarding uses messaging communication rather than RPC. This has theadvantage of being able to forward events even when the sender andreceiver are disconnected. The following are the Asynchronous QoSclasses:

Express. Express forwarding makes no guarantees that the message will bereceived at the destination. If an error is encountered in forwardingthen the event can be discarded. Because of the absence of a guarantee,however, express delivery is faster than any other asynchronous QoS.

Guaranteed. The guaranteed forwarding subsumes the express QoS class andalso provides a guarantee that the event will make it to the destinationat least once. This guarantee applies across machine and networkfailures.

Transactional. Transaction forwarding subsumes the guaranteed QoS classand also provides a guarantee that an event will make it to thedestination at most once.

The forwarding consumer uses MSMQ for Messaging Communication. UsingMSMQ allows the forwarding consumer to support offline forwarding andstore-and-forward for all asynchronous QoS classes.

Store-and-forward refers to the ability for a message to be forwarded toa remote destination machine even when the destination machine isunreachable or down. It also allows a message to be forwarded to thedestination when the source machine is unreachable or down. This meansthat a message can reach its destination even when the source ordestination machines are never reachable or up at the same time. This isaccomplished by forwarding the message to an intermediate machine if thedestination is not reachable. Store-and-forward is automatically theclass of delivery used when forwarding messages to a remote destinationusing an asynchronous QoS class.

Offline forwarding is the ability for a machine to forward messageswithout being connected to the network. The messages are stored locally,but when the machine goes back online, the messages are automaticallyforwarded. This is different than store-and-forward because, in thiscase, the sender does have connectivity to any machine, even theintermediate one used for store-and-forward. The two features can worktogether though. For example, it is possible that when the sendingmachine does come online, the receiving machine is down. In this case,the store-and-forward feature would be activated when the sendingmachine came online.

The target property of a forwarding consumer can contain one or moredestination addresses. Each address is represented in one of threeformats: network, indirect, or an MSMQ format name. When a forwardingconsumer needs to send a message and there are multiple destinationsspecified, then the message will be forwarded to the targets in theirorder of appearance until the send is successful. A successful messagesend depends on the delivery class.

A network target name is any valid IP address, NetBIOS name, or DNSname. For synchronous forwarding QoS, a network target name is used toperform communication over DCOM. For asynchronous forwarding QoS, anetwork target name is used to perform communication over MSMQ. In thiscase, the target MSMQ format name will be derived from the networktarget name and the delivery class property.

For most cases, the user will configure network target names and theforwarding consumer will derive the low-level address of the targetbased on how it is configured. To override this, the user can specify alow-level MSMQ target name.

There are three types of MSMQ format names. These are public, privateand direct.

Public—identifies a queue using a queue GUID.

Private—identifies a queue using a machine GUID and queue identifier.

Direct—identifies a queue using a protocol, queue location, and queuelogical name.

Each type of format name has implications for sending messages. Table 3below describes these implications. TABLE 3 Requires Sender RequiresSender and Receiver to be operating to be part of Supports in On-Linesame forest (or Store-And- Format/ mode when MSMQ enterprise for ForwardImplications sending messages non w2k domains) functionality Public YesYes Yes Private No Yes Yes Direct No No No

A valid Target MSMQ Format Name is any valid MSMQ format name prefixedwith MSMQ!.

An indirect target name can be used for indirect addressing. An indirecttarget name is any valid WMI instance object path prefixed by WMI! andsuffixed with !<PropertyName>. When specified, the forwarding consumerwill obtain the object specified in the address and use the specifiedproperty to determine the resolved address. The resolved address can beany valid network or MSMQ address, or list of valid network or MSMQaddresses. It cannot be another indirect address.

The following is an example of a valid indirect target name:wmi\\mymachine\root\default:myclass=“myinstance”:mypropWhen an indirect target name is encountered, the value of the specifiedproperty is obtained. The type of this property must be a string or anarray of strings. In both cases, the strings are treated as if they wereexplicitly listed in the targets property.

Each machine that can accept forwarded messages will have one or morewell-known entry points. For MSMQ, these entry points are MSMQ queues.For DCOM, this entry point is a DCOM server object that is implementedby the forwarding event provider.

It is typically not necessary to perform any configuration on thereceiver end of the forwarding consumer. However, it some circumstances,it may be necessary to query certain properties of the entry points andon even rarer occasions, be able to modify them. The following are thereasons why a user might need knowledge of the messaging entry points onthe receiver:

To set the queue disk quota for MSMQ entry points.

To obtain queue address information for manual configuration of thetarget address at the sending end.

Both of these are specific to MSMQ. The MSMQ provider will model thesequeues. The MSMQ snap-in can also be used to access these queues. Bothof these can perform the actions described above.

MSMQ Queues

All queues will have a default quota of 10 Meg.

All queues will have a security descriptor that allows only LocalSystemand administrators read and modify access, and allows everyone sendaccess.

An administrator can distinguish between MSMQ Queues used for forwardingand those used by other applications using the queue type property.

Queues used for event forwarding will have a queue type of:{BD29DFFF-7553-4d3b-840 1-4646AC9A70C6}

Each forwarding queue is either public or private. A public queue can bereferenced through a public or direct format name. A public queue canonly exist on machines that are online. A Private Queue can only bereferenced through a private or direct format name. There are norestrictions on the machine that private queues are created on.Furthermore, there are authenticated and non-authenticated versions ofthese queues.

When determining endpoint address information, the user must decidewhich of these types of queues they will want to use. The public/privateand authentication properties of a queue each have their own set ofrequirements on how they can be used. This primarily depends on MSMQinstallation type.

When a forwarding consumer executes, it generates trace events tofacilitate debugging. There are two types of trace events:MSFT_ForwardingConsumerTraceEvent; andMSFT_ForwardingConsumerTargetTraceEvent

For each event that is delivered to a forwarding consumer, there will beone MSFT_ForwardingConsumerTraceEvent generated which states the outcomeof the execution. For each target tried during this execution, therewill be one MSFT_ForwardingConsumerTargetTraceEvent generated statingthe outcome of the forwarding to that particular target. The schema forthese two classes as well as their base class is described below: classMSFT_ForwardingConsumerTraceEventBase : _ExtrinsicEvent {MSFT_ForwardingConsumer Consumer; _Event Event; string ExecutionId;uint32 StatusCode; };

This is the base class that all forwarding consumer trace events derivefrom.

“Consumer” is the forwarding consumer instance.

“Event” is the event that triggered the forwarding consumer.

“ExecutionId” is a GUID that is generated each time a forwardingconsumer is delivered an event.

“StatusCode” contains the outcome of the execution of the forwardingconsumer.  class     MSFT_ForwardingConsumerTraceEventMSFT_ForwardingConsumerTraceEventBase  {  string TargetUsed;  booleanQueued;  };

Each time a forwarding consumer executes, an instance of this event issignaled.

“TargetUsed” contains the address of the target that was used tosuccessfully forward the message. This property is NULL when“StatusCode” specifies an error.

“Queued” states whether the event was forwarded using RPC or was queued.This property will be NULL when “StatusCode” specifies an error.  classMSFT_ForwardingConsumerTargetTraceEvent:MSFT_ForwardingConsumerTraceEventBase  {   string Target;  };

“Target” specifies the address of the target that was used to attempt toforward an event. A “ForwardingConsumerTraceEvent” can be correlatedwith its “ForwardingConsumerTargetTrace” events using the “Executionld”parameter.

When forwarding using a synchronous QoS, all errors that can occur aredetected at the time of forwarding. With asynchronous forwarding,configuration errors can usually be detected at the time of forwardingas well. For these reasons, most errors can be detected by subscribingto the trace events described above (where status code specifies anerror).

There are some error cases with asynchronous forwarding that cannot bedetected at the time of forwarding. These errors are usually detectedmuch later. For this reason, an event is provided that will alert anysubscribers that an asynchronous error has occurred in forwarding. Thisevent is: class Win32_WmiForwardedAckEvent :Win32_WmiForwardedMessageEvent   {    Event Event;    uint32 Status;   string Target;    uint32 QoS;    boolean Authentication;    booleanEncryption;    string ConsumerPath;    string ExecutionId;   };

Note that it is derived from the forwarded message event so it possessesall of its properties and semantics as well.

“Event” is the original event that was forwarded.

“Status” contains the error code for the reason why the forwarded eventwas returned.

“QoS” contains the value of the QoS parameter when the message wasforwarded.

“Authentication” contains the value of the auth parameter when themessage was forwarded.

“ConsumerPath” contains the relpath of the forwarding consumer that wasresponsible for forwarding the message.

“Executionld” contains the Executionld that was used to forward theoriginal event. This id would be the same as the one contained in the“ForwardingConsumerTraceEvent” that was caused by the original eventbeing forwarded.

Forwarding Security

For messages that are forwarded synchronously over DCOM, then DCOMsecurity is used for authentication. For messages that are forwardedasynchronously over MSMQ, then MSMQ security is used for authentication.With respect to authentication, there are two types of entry points forreceiving messages: authenticated and unauthenticated. Any message thatis accepted by the authenticated entry point must have authenticationinformation associated with it. This is a responsibility of the sender.In other words, the sender's forwarding consumer must have theauthentication property set to “TRUE” in order to send to anauthenticated entry point (queue). For both types of security, thesender and receiver must be part of the same forest (or MSMQ enterprisein non-w2k domains) for authentication to be possible.

A forwarded event will contain the security identity of the sender, ifavailable. There is also a Boolean property on the event that specifiesif the event has been authenticated. An unauthenticated forwarded eventmay still contain the identity of the sender, but only when theauthenticated property is set to “TRUE” is this property to be believed.Forwarded events that are returned to the sender asynchronously becauseof some failure, are always verified that they actually originated fromthe sender.

WMI events support access control on subscriptions and on events. Accesscontrol on subscriptions state the security identity of the eventproviders that the subscriber is willing to receive events from. Accesscontrol on events state what security identities can subscribe to theevent. When a forwarded event is signaled on the receiver, the id of thesender will be used to perform the access check controlling access tosubscribers. If the forwarded event has not been authenticated, thendelivery of this event will only occur to subscribers who allow“everyone” access. The forwarded event will also be signaled with asecurity descriptor that is passed from the sender.

Sender

For all types of forwarding QoS, if the authenticate property is set to“TRUE” on the forwarding consumer, then it will attach authenticationinfo with the message and send it to the authenticated entry point onthe target. If the property is set to “FALSE”, then the message is sentto the unauthenticated entry point on the target.

The sending identity of forwarded messages depends on two factors:platform and type of forwarding consumer. For event forwardingconsumers, the identity of the message depends on the“MaintainSecurityContext” property of the binding to the forwardingconsumer. If the “MaintainSecurityContext” property is “TRUE”, then thesecurity principal attached to the forwarded messages will be the sameas the event providers. If the “MaintainSecurityContext” property is“FALSE” or in the case of a data forwarding consumer, the message issent using the account that winmgmt is running under. For all NTplatforms, this account is Localsystem. On win2k and higher platformsthis identity be used for authentication. On older platforms,authentication cannot occur unless the forwarding consumer is run out ofproc to winmgmt. This is possible, but will require that theadministrator adjust the DCOM registration of the forwarding consumer torun out-of-proc and under a specific domain account.

For authenticated asynchronous forwarding, the sending securityprincipal is registered with MSMQ. When the forwarding consumer isinitialized, it will try to register the account it is running underwith MSMQ. Registration occurs when the machine is running in onlinemode.

Only in the case where “MaintainSecurityContext” is set to “TRUE”, theforwarding consumer is an event Forwarding consumer, the forwarding QoSis asynchronous, and the platform is not win2k or higher will theadministrator be responsible for registering the account with MSMQmanually.

The forwarding consumer will have the ability to specify a DACL tocontrol what consumers can receive the messages on the receiving end. Bydefault, there will be no DACL, thereby allowing all consumers tosubscribe to messages that the forwarding consumer sends. Anadministrator must construct the DACL to set on the forwarding consumer.This can be done using Win32 Security APIs or through scripting helperobjects.

A forwarding consumer will encrypt all messages that it sends when its“Encrypt” property is set to “TRUE”. Encryption of messages cannot beperformed when the sending machine is offline. Encryption cannot be usedwhen forwarding messages to a machine outside the win2k forest (MSMQenterprise for non-win2k domains).

The forwarding consumer will be part of a WMI installation. The schemafor the forwarding consumer will exist in the root\default namespace.Installation of the schema of the forwarding consumer will be installedby default into the root\default namespace, but can be installed by theuser in other namespaces.

The forwarding receiver will support MSMQ independent client and serverinstallations.

There are two modes of operation for the forwarding consumer andreceiver with respect to MSMQ: Online and Offline. These terms refer toconnectivity to an MSMQ Server. There are two types of MSMQinstallations: Workgroup and Domain. A workgroup installation is alwaystreated as Offline.

On initialization of winmgmt, domain membership and connectivity to a DCare checked. If both are true, then winmgmt will operate in Online modewith respect to MSMQ. If not, then it operates in Offline Mode.

FIG. 6 illustrates an example of a suitable operating environment inwhich the event management system described herein may be implemented.The illustrated operating environment is only one example of a suitableoperating environment and is not intended to suggest any limitation asto the scope of use or functionality of the invention. Other well-knowncomputing systems, environments, and/or configurations that may besuitable for use with the invention include, but are not limited to,personal computers, server computers, hand-held or laptop devices,multiprocessor systems, microprocessor-based systems, programmableconsumer electronics, gaming consoles, cellular telephones, network PCs,minicomputers, mainframe computers, distributed computing environmentsthat include any of the above systems or devices, and the

FIG. 6 shows a general example of a computer 442 that can be used inaccordance with the invention. Computer 442 is shown as an example of acomputer that can perform the various functions described herein.Computer 442 includes one or more processors or processing units 444, asystem memory 446, and a bus 448 that couples various system componentsincluding the system memory 446 to processors 444.

The bus 448 represents one or more of any of several types of busstructures, including a memory bus or memory controller, a peripheralbus, an accelerated graphics port, and a processor or local bus usingany of a variety of bus architectures. The system memory 446 includesread only memory (ROM) 450 and random access memory (RAM) 452. A basicinput/output system (BIOS) 454, containing the basic routines that helpto transfer information between elements within computer 442, such asduring start-up, is stored in ROM 450. Computer 442 further includes ahard disk drive 456 for reading from and writing to a hard disk, notshown, connected to bus 448 via a hard disk drive interface 457 (e.g., aSCSI, ATA, or other type of interface); a magnetic disk drive 458 forreading from and writing to a removable magnetic disk 460, connected tobus 448 via a magnetic disk drive interface 461; and an optical diskdrive 462 for reading from and/or writing to a removable optical disk464 such as a CD ROM, DVD, or other optical media, connected to bus 448via an optical drive interface 465. The drives and their associatedcomputer-readable media provide nonvolatile storage of computer readableinstructions, data structures, program modules and other data forcomputer 442. Although the exemplary environment described hereinemploys a hard disk, a removable magnetic disk 460 and a removableoptical disk 464, it will be appreciated by those skilled in the artthat other types of computer readable media which can store data that isaccessible by a computer, such as magnetic cassettes, flash memorycards, random access memories (RAMs), read only memories (ROM), and thelike, may also be used in the exemplary operating environment.

A number of program modules may be stored on the hard disk, magneticdisk 460, optical disk 464, ROM 450, or RAM 452, including an operatingsystem 470, one or more application programs 472, other program modules474, and program data 476. A user may enter commands and informationinto computer 442 through input devices such as keyboard 478 andpointing device 480. Other input devices (not shown) may include amicrophone, joystick, game pad, satellite dish, scanner, or the like.These and other input devices are connected to the processing unit 444through an interface 468 that is coupled to the system bus (e.g., aserial port interface, a parallel port interface, a universal serial bus(USB) interface, etc.). A monitor 484 or other type of display device isalso connected to the system bus 448 via an interface, such as a videoadapter 486. In addition to the monitor, personal computers typicallyinclude other peripheral output devices (not shown) such as speakers andprinters.

Computer 442 operates in a networked environment using logicalconnections to one or more remote computers, such as a remote computer488. The remote computer 488 may be another personal computer, a server,a router, a network PC, a peer device or other common network node, andtypically includes many or all of the elements described above relativeto computer 442, although only a memory storage device 490 has beenillustrated in FIG. 6. The logical connections depicted in FIG. 6include a local area network (LAN) 492 and a wide area network (WAN)494. Such networking environments are commonplace in offices,enterprise-wide computer networks, intranets, and the Internet. Incertain embodiments, computer 442 executes an Internet Web browserprogram (which may optionally be integrated into the operating system470) such as the “Internet Explorer” Web browser manufactured anddistributed by Microsoft Corporation of Redmond, Wash.

When used in a LAN networking environment, computer 442 is connected tothe local network 492 through a network interface or adapter 496. Whenused in a WAN networking environment, computer 442 typically includes amodem 498 or other means for establishing communications over the widearea network 494, such as the Internet. The modem 498, which may beinternal or external, is connected to the system bus 448 via a serialport interface 468. In a networked environment, program modules depictedrelative to the personal computer 442, or portions thereof, may bestored in the remote memory storage device. It will be appreciated thatthe network connections shown are exemplary and other means ofestablishing a communications link between the computers may be used.

Computer 442 typically includes at least some form of computer readablemedia. Computer readable media can be any available media that can beaccessed by computer 442. By way of example, and not limitation,computer readable media may comprise computer storage media andcommunication media. Computer storage media includes volatile andnonvolatile, removable and non-removable media implemented in any methodor technology for storage of information such as computer readableinstructions, data structures, program modules or other data. Computerstorage media includes, but is not limited to, RAM, ROM, EEPROM, flashmemory or other memory technology, CD-ROM, digital versatile disks (DVD)or other optical storage, magnetic cassettes, magnetic tape, magneticdisk storage or other magnetic storage devices, or any other media whichcan be used to store the desired information and which can be accessedby computer 442. Communication media typically embodies computerreadable instructions, data structures, program modules or other data ina modulated data signal such as a carrier wave or other transportmechanism and includes any information delivery media. The term“modulated data signal” means a signal that has one or more of itscharacteristics set or changed in such a manner as to encode informationin the signal. By way of example, and not limitation, communicationmedia includes wired media such as wired network or direct-wiredconnection, and wireless media such as acoustic, RF, infrared and otherwireless media. Combinations of any of the above should also be includedwithin the scope of computer readable media.

The invention has been described in part in the general context ofcomputer-executable instructions, such as program modules, executed byone or more computers or other devices. Generally, program modulesinclude routines, programs, objects, components, data structures, etc.that perform particular tasks or implement particular abstract datatypes. Typically the functionality of the program modules may becombined or distributed as desired in various embodiments.

For purposes of illustration, programs and other executable programcomponents such as the operating system are illustrated herein asdiscrete blocks, although it is recognized that such programs andcomponents reside at various times in different storage components ofthe computer, and are executed by the data processor(s) of the computer.

Although the description above uses language that is specific tostructural features and/or methodological acts, it is to be understoodthat the invention defined in the appended claims is not limited to thespecific features or acts described. Rather, the specific features andacts are disclosed as exemplary forms of implementing the invention.

1. An event management system comprising: a set of event consumers, eachof the event consumers being configured to perform an action in responseto an occurrence of an event; and an event management module configuredto create: an event filter object having at least two properties thatidentify events that are intended to cause one or more actions to beperformed; and a binding object specifying at least two bindingproperties to bind the event filter object to one or more of the eventconsumers that are capable of performing the one or more actions toinvoke the one or more event consumers when the properties presented bythe event filter object match the binding properties.
 2. An eventmanagement system of claim 1, wherein the set of event consumersincludes at least one of: an email consumer configured to handle emailmessages; a paging consumer configured to generate a page message; anactive scripting consumer configured to execute at least one script; alog file consumer configured to record information in a log file; anevent log consumer configured to log messages to an event log; and acommand line consumer configured to launch at least one process.
 3. Anevent management system of claim 2, wherein the email consumer is anSMTP consumer.
 4. An event management system of claim 2, wherein theevent log consumer is an NT event log consumer.
 5. An event managementsystem of claim 2, further comprising a forwarding consumer to forwardevents.
 6. An event management system of claim 1, wherein events in theevent management system are represented as objects.
 7. An eventmanagement system of claim 1, wherein each consumer in the eventmanagement system is represented as a class.
 8. An event managementsystem of claim 1, wherein the event management module is configured,independent of the event filter object and the set of event consumers,to provide selective association and disassociation of the event filterobject and the event consumers.
 9. An event management system of claim1, further comprising an event provider, wherein the event providerincludes at least one of: a Win32 provider; a Windows Driver Model (WDM)provider; an event log provider; a registry provider; a performancecounter provider; a active directory provider; a Windows installerprovider; and a Simple Network Management Protocol (SNMP) provider. 10.A computer system comprising: an event provider configured to generateevents; an event consumer selected from a set of event consumers, theevent consumer being configured to perform an action in response to anoccurrence of an event generated by the event provider; an event filterconfigured to specify at least two properties about the event inresponse to the occurrence of the event; and a binding object specifyingat least two binding properties to bind the event filter to at least oneselected event consumer to invoke the selected event consumer when theproperties specified by the event filter match the binding properties.11. A computer system of claim 10, wherein the set of event consumersinclude at least one of: an email consumer configured to send at leastone email message; a paging consumer configured to send at least onepage message; an active scripting consumer configured to execute atleast one script; a log file consumer configured to record informationin a log file; an event log consumer configured to log at least onemessage to an event log; and a command line consumer configured tolaunch at least one process.
 12. A computer system of claim 10, whereinthe event providers includes at least one of: a Win32 provider; aWindows Driver Model (WDM) provider; an event log provider; a registryprovider; a performance counter provider; a active directory provider; aWindows installer provider; and a Simple Network Management Protocol(SNMP) provider.
 13. A computer system of claim 10, wherein the eventconsumer includes an instance of a class associated with an applicationprogram.
 14. A computer system of claim 10, wherein the event filterincludes an instance of a class associated with an application program.15. A computer system of claim 10, further comprising an eventmanagement module configured, independent of the event filter and theset of event consumers, to provide selective association anddisassociation of the event filter and the event consumers.
 16. Acomputer implemented method, comprising: implementing a plurality ofevent filters, wherein each of the event filters specifies at least onecriterion indicative of a triggering event potentially arising within acomputing system; implementing a plurality of event consumers, each ofthe event consumers being configured to perform at least one action; andimplementing at least one binding object, wherein the binding object isconfigured to provide selective association of at least one of the eventfilters with with at least one of the event consumers, such that whenthe binding object selectively associates the triggering event with aselected event consumer, the binding object causes the selected eventconsumer to be executed upon an occurrence of the triggering event. 17.A method of claim 16, wherein the binding object is configured toprovide selective association of between at least one of the pluralityof event filters consumers with at least one of the plurality of eventconsumers independently of the plurality of event filters and pluralityof event consumers.
 18. A method of claim 16, wherein the binding objectis configured to provide selective association of a selected pluralityof event filters with a single selected event consumer.
 19. The methodof claim 16, wherein the binding object is configured to provideselective association of a single selected event filter with a selectedplurality of event consumers.
 20. The method of claim 16, wherein atleast one of the plurality of event filters is configured to perform atleast one action, including: sending an email; generate a page message;execute at least one script; recording information in a log file;logging messages to an event log; and launching at least one process.